- How do I use OpenSSL to set up my own Certificate Authority (CA)?
- Oh no! Port 8005 is available for anyone on localhost to shutdown my tomcat!
- What about Tomcat running as root?
- How do I force all my pages to run under HTTPS?
- What is the default login for the manager and admin app?
- How do I restrict access by ip address or remote host?
- How do I use jsvc/procrun to run Tomcat on port 80 securely?
- Has Tomcat's security been independently analyzed or audited?
- How do I change the Server header in the response?
- Why are passwords in plain text?
- How can I restrict the list of ciphers used for HTTPS?
- Which cipher suites should I use?
- Is Tomcat affected by Log4Shell CVE-2021-44228?
- I found a vulnerability in JMXProxy
More details on these CVEs via the ASF blog
JMXProxy is a powerful servlet with full access to all JMX capabilities. By design, enabling it exposes you to a lot of security challenges; it is the equivalent of enabling generic remote JMX access at the JVM level.
With that in mind, if you enable it, you should at a minimum require an extremely strong password to protect this URL and restrict the list of client IP addresses that may access it (ideally restricting it to localhost, if possible).
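As an added illustration (not part of the original FAQ), the two configuration fragments below implement that advice: a loopback-only RemoteAddrValve in the manager webapp's context.xml, and a dedicated tomcat-users.xml account that holds only the manager-jmx role. The user name and the password placeholder are constructed; the valve class, its allow regex and the role name are standard Tomcat.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- webapps/manager/META-INF/context.xml
     Restricts the whole manager webapp, including /manager/jmxproxy,
     to clients connecting from the loopback address. The allow
     attribute is a regular expression matched against the client IP;
     any other source address receives a 403 before authentication. -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>

<!-- conf/tomcat-users.xml
     A dedicated account for JMXProxy only. manager-jmx grants access
     to /manager/jmxproxy and /manager/status but not to the HTML GUI
     or the deploy/undeploy text interface, so a leaked credential
     cannot be used to deploy a webapp. Replace the placeholder with a
     long, randomly generated password. -->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-jmx"/>
  <user username="jmxproxy-monitor"
        password="REPLACE_WITH_LONG_RANDOM_PASSWORD"
        roles="manager-jmx"/>
</tomcat-users>
```

If Tomcat sits behind a reverse proxy, RemoteAddrValve sees the proxy's address rather than the real client's, so the allow pattern would match every forwarded request; in that case a RemoteIpValve configured for the trusted proxy must precede it, or the restriction should be enforced at the proxy itself.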